Heartbleed bug still a threat after flawed patches

The majority of sites that attempted to protect themselves against Heartbleed have ended up no better for it, while some are actually more vulnerable than before.

Following Heartbleed's reveal on 7 April, sites scrambled to patch their OpenSSL installations and revoke their old certificates.

Now, data from a study conducted by Netcraft shows that many sites haven’t done enough to fully protect themselves from the bug.

Some 30,000 sites revoked their old certificates but did not replace their private keys, according to Netcraft. If these keys have been compromised, replacing the certificates is moot: having the key allows a hacker to decrypt sensitive information and perform man-in-the-middle attacks.
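A way to check for the mistake described above, as an added example that is not part of the original post: compare the SubjectPublicKeyInfo hash of the revoked certificate with that of its replacement. The function names and the constructed, unsigned sample certificates (`fake_cert`) are assumptions made for this illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """SHA-256 over the certificate's SubjectPublicKeyInfo element."""
    _, start, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, start)      # tbsCertificate SEQUENCE
    tag, _, after = read_tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = after
    for _ in range(5):       # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)        # pos is now at the SPKI
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def reissued_with_same_key(old_der, new_der):
    """True if the replacement certificate still carries the old public key."""
    return spki_sha256(old_der) == spki_sha256(new_der)

# --- constructed sample data (not real certificates) ---
def der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body

def fake_cert(serial, key_bytes):
    """Certificate-shaped DER; key_bytes stands in for the public key."""
    empty = der(0x30, b"")                     # placeholder alg/name/validity
    spki = der(0x30, empty + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + empty + empty + empty + empty + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))

OLD = fake_cert(1, b"K1" * 64)                 # revoked certificate
NEW_SAME_KEY = fake_cert(2, b"K1" * 64)        # reissued, key not replaced
NEW_ROTATED = fake_cert(3, b"K2" * 64)         # reissued with a fresh key
```

For real certificates in PEM form, `ssl.PEM_cert_to_DER_cert` from the standard library produces the DER bytes these functions expect.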

Re: Heartbleed bug still a threat after flawed patches

The following article is an update on Heartbleed.

(Heartbleed still a critical threat)

Author: Zeljka Zorz, HNS Managing Editor / Posted on 29 August 2014.

Cyber attackers have been quick to exploit the Heartbleed OpenSSL bug, to the tune of hundreds of thousands of attacks per day in the week after the public revelation of its existence, the statistics shared in the latest quarterly IBM X-Force Threat Intelligence report have shown.

"Much emphasis has been placed on preparing for and mitigating zero-day attacks, but in the case of Heartbleed, a more interesting study occurs after disclosure, when both attackers and enterprises are racing against the clock," noted Leslie Horacek, threat response manager for IBM X-Force security research group.

"IBM’s Managed Security Services (MSS) witnessed attackers immediately retooling and exploiting the bug on a global scale," she shared, and attacks came fast and thick.

Less than two weeks after, the number of attacks attempting to exploit the bug has dropped considerably, but is still significant. "MSS sees an average of 7,000 attacks per day across a large attack surface," it is noted in the report (registration required).